CVE-2025-10181 is a stored Cross-Site Scripting (XSS) vulnerability affecting the Draft List WordPress plugin developed by dartiss. This vulnerability exists in all versions up to and including 2.6 of the plugin. The root cause is insufficient sanitization and escaping of user-supplied attributes in the 'drafts' shortcode, which allows authenticated users with contributor-level privileges or higher to inject arbitrary JavaScript code into pages. When other users access these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the context of the affected WordPress site. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and has a CVSS v3.1 base score of 6.4 (medium severity). The attack vector is network-based, requires low attack complexity, and privileges of at least contributor level, but does not require user interaction for exploitation. The scope is changed, indicating that the vulnerability can affect resources beyond the initially compromised component. No known exploits are currently reported in the wild, and no official patches have been published yet. The vulnerability was publicly disclosed on September 20, 2025.

For European organizations using WordPress sites with the Draft List plugin installed, this vulnerability poses a significant risk to website integrity and user trust. An attacker with contributor-level access could embed malicious scripts that execute in the browsers of site visitors or administrators, potentially leading to credential theft, unauthorized actions, or defacement. This could result in data breaches, reputational damage, and compliance violations under regulations such as GDPR, especially if personal data is compromised. The medium severity score reflects the need for timely remediation to prevent exploitation. Organizations relying on WordPress for public-facing or internal sites should consider this vulnerability critical to their web security posture. Since the vulnerability requires authenticated access, insider threats or compromised contributor accounts are primary risk vectors. The stored nature of the XSS means that the malicious payload persists and can affect multiple users over time, increasing potential impact.

1. Immediate mitigation should include restricting contributor-level access to trusted users only and reviewing existing contributor accounts for suspicious activity. 2. Implement Web Application Firewall (WAF) rules to detect and block malicious scripts targeting the 'drafts' shortcode or suspicious payloads in user inputs. 3. Monitor logs for unusual shortcode usage or unexpected script injections. 4. Until an official patch is released, consider disabling or removing the Draft List plugin if it is not essential. 5. Educate content contributors about safe input practices and the risks of injecting scripts. 6. Once available, promptly apply vendor patches or updates addressing this vulnerability. 7. Employ Content Security Policy (CSP) headers to restrict execution of unauthorized scripts on affected sites. 8. Conduct regular security audits and penetration testing focusing on plugin vulnerabilities and user input sanitization.